I Hope This Helps
Carl Trusiak, SCJP2, SCWCD
Originally posted by Jamie Young:
Thank you for joining us today. It is always nice to have an opportunity to win a free book. I never do, but one day I will get lucky :> )
I may have some Java security questions soon in the future.
The program that I am working on now will eventually require the users to log in to determine their user privileges. We are using Win2000 as our operating system. We are even using the jdk1.4 beta version because of certain required methods that are not in the 1.3 version.
Where would you think that I should start my research on how I should implement this security issue in my java program?
Would you recommend a certain package that I can import and use?
Does your book cover logging in and establishing users from a java program?
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by Gregg Bolinger:
First, how much JAVA cryptology does your book cover, if any, and what do you believe to be the best way to secure your class files? I realize that there is always a way to hack into anything, but I might as well make it as tough as possible.
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by David Garland:
Is RMI safe?
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by JUNILU LACAR:
Just wondering what kind of coverage this book gives on security in J2EE applications. I'm looking for some discussion on various strategies for securing a J2EE application and pros and cons of the strategies. Any feedback would be greatly appreciated.
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by ruilin yang:
Jess and others,
If I use only JSP/Servlets as server-side programs, my system cannot be as secure as a system built with EJBs, since EJB technology gives you more chances/places to implement security protocols.
Is it correct? This means with EJB you can have a more secure system.
Thanks,
Ruilin
Daniel Somerfield<br />Author of <a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/ref=ase_electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>
Originally posted by Gina Peers:
Do you have any idea when a production-quality release of J2SE 1.4 with JAAS will be coming out? I couldn't find it on Sun's site...
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by David Bejjam:
Are JCE & JSSE bundled with the current version of J2EE?
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by mohit joshi:
I have been trying for more than a year to make the sample JSSE example work. If you look at sample\sockets\server\ClassFileServer.java
Theoretically you should be able to start this service and then access it over https, but I have not succeeded in doing this. Earlier it used to get stuck while doing the Handshake.
Now it throws
java.security.NoSuchAlgorithmException: Algorithm TLS not available
at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198])
at ClassFileServer.getServerSocketFactory(ClassFileServer.java:138)
at ClassFileServer.main(ClassFileServer.java:115)
Exception in thread "main" java.lang.NullPointerException
at ClassFileServer.main(ClassFileServer.java:116)
Can anybody help me with this..
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by mohit joshi:
thanks for the prompt reply. However I have statically registered the provider as follows in the file:
<java-home>\lib\security\java.security
#
# List of providers and their preference orders (see above):
#
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.net.ssl.internal.ssl.Provider
which should have the same effect? Or do you think Dynamic registration might help in my case?
Also I do have the three jar files in my classpath..., since I am able to compile the sample files.
Regards
Mohit Joshi
[This message has been edited by mohit joshi (edited August 22, 2001).]
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by ruilin yang:
Jess/Daniel,
When we implement security in an application/system, what kind of granularity would you recommend? I mean, what is the guideline to design a security system for an application? Are there any patterns to follow?
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by ravi bask:
Jess/Daniel
Is Java the best language for implementing security,
and is the book you guys wrote for beginners, or is it for above beginners,
And does it tell how to implement security in an efficient way, because some books don't tell how we can improve our performance while coding for security,
I guess anyone can implement security in their applications by using Java APIs, but how we implement the security is the real problem, I guess,
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by mohit joshi:
Figured out a way of doing it..
One has to define a new TrustManager and use it while creating the SSLSocketFactory as follows..
    import com.sun.net.ssl.SSLContext;
    import com.sun.net.ssl.TrustManager;
    import com.sun.net.ssl.X509TrustManager;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;

    // JSSE 1.0.x API (com.sun.net.ssl): the context is initialised with our own
    // TrustManager, so the handshake does not depend on the default truststore.
    SSLContext sc = SSLContext.getInstance("TLS");
    TrustManager[] tma = { new MyX509TrustManager() };
    sc.init(null, tma, null);
    SSLSocketFactory factory = sc.getSocketFactory();
    SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 443);
The MyX509TrustManager class can be defined as..
    class MyX509TrustManager implements X509TrustManager
    {
        // Accepts every client certificate chain without checking it.
        public boolean isClientTrusted(java.security.cert.X509Certificate[] chain)
        {
            return true;
        }

        // Accepts every server certificate chain, so this client performs
        // no server authentication at all.
        public boolean isServerTrusted(java.security.cert.X509Certificate[] chain)
        {
            return true;
        }

        // No trusted issuers are advertised.
        public java.security.cert.X509Certificate[] getAcceptedIssuers()
        {
            return null;
        }
    }
Of course these methods could be more elaborate depending on your requirements...
Regards
Mohit Joshi
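For comparison with the trust-everything manager in the post above, here is an added example (not from the thread or from the book) of the same client connection written against the javax.net.ssl API of later JDKs (Java 7 or newer), where the trust decision comes from an explicit truststore and the certificate name is checked against the host. The truststore file name, its password and the host/port are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/** Builds an SSLContext whose trust decisions come from a truststore
 *  instead of an X509TrustManager that returns true for everything. */
public class TrustStoreClient {
    // Assumed truststore location and password; replace with your own.
    static final String TRUST_STORE = "client-truststore.jks";
    static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    static SSLContext buildContext() throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUST_STORE)) {
            ts.load(in, TRUST_STORE_PASSWORD);
        }
        // The default (PKIX) trust manager validates the server's chain
        // against the truststore: signatures, validity dates, chain building.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = buildContext().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket("localhost", 443)) {
            // A valid chain is not enough: the certificate must also be issued
            // for the host we connected to, which HTTPS endpoint identification checks.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            // Throws SSLHandshakeException if the chain is untrusted or the name mismatches.
            socket.startHandshake();
            System.out.println("Negotiated " + socket.getSession().getProtocol());
        }
    }
}
```

A self-signed test server certificate can be imported into the truststore with keytool -importcert, which is the usual way to get the ClassFileServer sample working without disabling verification.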
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by PAVAN KUMAR99:
Does the book cover Java security in relation with some of the authentication systems like Kerberos.
Also, one more basic question: is there a way to decode an MD5 hashed string using the MessageDigest class?
Jess Garms<br />Author of "<a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>"
Originally posted by Dirk Trompetter:
Hi,
does the book cover Java security on mobile phones?
thanks,
dirk
Daniel Somerfield<br />Author of <a href="http://www.amazon.com/exec/obidos/ASIN/1861004257/ref=ase_electricporkchop" target="_blank" rel="nofollow">Professional Java Security</a>